Our key areas of focus for the Regulatory Sandbox 2020-2021 


Innovations related to the Age Appropriate Design Code 


With the Age Appropriate Design Code coming into force on 2 September 
2020, ahead of a 12 month transition period, the ICO is keen to work directly 
with innovators through the Regulatory Sandbox. This will involve hands-on, 
intensive ICO support to the development of your product or service which 
has direct relevance to the rights and freedoms of children and young people 
online. 


Our aim is not to keep young people out of the digital world, but to protect 
and empower them within it. We want to enable young people to assert and 
be aware of their rights, whilst simultaneously protecting them by embedding 
data protection safeguards into products and services at the design stage. By 
working with organisations on relevant products and services, we want to 
explore specific issues innovators are faced with, to help inform further 
guidance and practical tools. We aim to support the industry in 
understanding ‘what good looks like’ when implementing the Code, 
particularly for smaller organisations with limited resources. 


Ultimately, our Regulatory Sandbox aims to support innovators to improve 
confidence amongst children, young people and their parents and carers that 
their personal information is being properly protected when they are 
engaging with digital services. This includes making sure that they are 
receiving an age-appropriate experience and their data automatically has the 
highest level of protections. We would be interested in hearing from 
innovators who would like to work with us to ensure the best possible 
standards in age appropriate design, and who are focusing on issues posed 
by implementation of the Code. 


We welcome any applications in this area but are particularly interested in 
the following areas of age appropriate design: 


e Age appropriate privacy information, including tailoring the right to be 
informed to different age groups, to enable transparency and 
understanding whilst not undermining the user experience. 

e How to provide age appropriate privacy information via connected toys 
and devices (where there is no screen). 

e Applications to enable increased control of personal data within 
connected toys. 

e Exploring systems to secure in-game communications between players 
to protect children from unwanted intrusions or a risk of grooming. 


e Exploring how to convey the best interests of the child or young 
person, and other AADC considerations within a data protection impact 
assessment (‘DPIA’). 

e Use of geolocation technology involving children and young peoples’ 
whereabouts, including in relation to COVID-19 tracking. 


Innovations related to data sharing, particularly in the areas of 
health, central government, finance, higher and further education or 
law enforcement 


Compliant data sharing is crucial to the operation of modern economies. It 
can also help protect the health and security of our citizens and promote 
research and innovation. 


As such, we are looking to use our Regulatory Sandbox to work directly with 
innovators developing products and services that support complex data 
sharing in the public interest, to help them attain compliance. 


Our aim is to promote and enable confident, responsible and lawful data 
sharing in the wider public interest. In particular, the Sandbox aims to help 
demonstrate that data protection legislation is not a barrier to proportionate 
sharing of personal data. 


Whilst we are open to any proposals on how to meet that wider aim, we 
would be particularly interested in hearing from innovators working in or with 
the health, central government, finance, higher and further education or law 
enforcement sectors. We want to hear from you if you are developing 
products or services which are likely to enable substantial public benefits, but 
where data sharing may, for example: 


e pose the highest risk to the public and to information rights; 

e involve the use of novel or innovative technologies; 

e involve the use of innovative data governance frameworks or data 
sharing platforms; and 

e involve the processing of sensitive personal data. 


